vault-search
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to indirect prompt injection. Malicious instructions stored within Obsidian notes could be retrieved during search operations and influence the agent's behavior.
  - Ingestion points: All markdown files located in /Users/roasbeef/vault.
  - Boundary markers: Absent; there are no instructions provided to the agent to treat retrieved vault content as data rather than instructions.
  - Capability inventory: The skill utilizes 'Bash(python:*)' for execution and has 'Read' access to the filesystem.
  - Sanitization: No sanitization or escaping of note content is described.
- Command Execution (LOW): The skill executes external Python scripts (search.py, dataview.py, index.py). While these facilitate the skill's primary purpose, the reliance on raw SQL strings and command-line arguments presents a potential for manipulation if the scripts do not implement strict input validation.
- Data Exfiltration (LOW): The skill's documentation contains hardcoded absolute paths (e.g., /Users/roasbeef/vault), which disclose the local system username and internal folder structure.